On 10/11/98 17:50:55 you wrote:
Is there any way to log CIFS logins? We are using unix authentication, NIS enabled, and default logging (no /etc/syslog.conf file). We're running 5.0.2.
Not that I know of (cifs sessions will give you the current ones), but perhaps someone more in the know could say for sure...
Is there any way to coax our filer to log the time and loginid of each CIFS login?
CIFS users don't "login" per se, although there are connections that are made and closed associated with a connection. There is the general network authentication, but you say you're using UNIX authentication, not NT.
This information is essential for system administration in a university environment.
Why? You don't have this information available for NFS access. Sure, you record the UNIX login, but you do that in a different place... at the server. A person with a PC and an NFS client could just as easily make an NFS "login", that is make an NFS request as a given userid, without your logging it, just like they can CIFS. Of course, you can restrict all of your NFS access by hostname, but that's beside the point.
The point, I think, is that you're looking in the wrong place. If you want to record logins that could then potentially make CIFS requests, you should be doing it at the PC itself, or use NT authentication.
Still, given particular situations, logging CIFS sessions would be useful. So would logging PC-NFS sessions, which I know some servers do but I don't think the filer does.
Bruce
This information is essential for system administration in a university environment.
Why? You don't have this information available for NFS access. Sure, you record the UNIX login, but you do that in a different place... at the server. A person with a PC and an NFS client could just as easily make an NFS "login", that is make an NFS request as a given userid, without your logging it, just like they can CIFS. Of course, you can restrict all of your NFS access by hostname, but that's beside the point.
We naturally have a high user turnover rate. We also do a lot of bulk account creations for incoming first year students. So we end up adding and deleting several thousand accounts every year. Before doing a bulk delete of 3 or 4 thousand accounts, we like to see which ones are actively in use so that we can email the owners and warn them that their account is going away soon. An account with no use since before graduation we can simply remove without notice. (We don't have to send email, but it's polite. Besides, these folks will be rich alums some day and their donations will help pay my salary!)
Also, being a university, we have an open network. We have strict password policies, but intruders are a regular annoyance. Some of our users telnet in from remote sites and occasionally their passwords are sniffed. And even though it is strictly forbidden, we cannot physically prevent folks from running sniffers in our public PC labs or dorms. I'm sure the same is true at other schools. Yes, we are pushing folks to use ssh, etc. Yes, more and more of our networks are switched. I'm not getting into a network security vs. user convenience debate here. Suffice it to say, our policy is quite successful, but does let in an occasional intruder.
Our CIFS usage is still very small, but we expect it to increase. Eventually we'll have sniffed passwords and intruders on our filers. Some sort of logging would be very handy when investigating these incidents.
And finally, we regularly have to investigate cases of computer abuse. We have very well publicised and explicit computer abuse policies, but nevertheless, youthful exuberance cannot be squelched. So we have our share of pranksters, and jilted lovers, who send anonymous, forged, slanderous, and/or threatening email, etc. A big problem is folks who leave themselves logged in on a PC in a public lab or dorm. We've had web pages tampered with. One student did not even have a web page, but some of her "friends" found an abandoned login session of hers in a lab and built her a pornographic web page. Needless to say, she was extremely upset when her personal web page became a hit on the net and she started getting fan mail. And she didn't even know how to make a web page or how to take it down.
We fully expect users to forget to close their CIFS sessions in public labs and hence leave themselves open to tampering by other students. Some kind of logging would be very useful. For example, we would know in which lab or dorm room the session was left active. We could check the logs to see what other CIFS sessions were active in the lab at that time and ask these students if they saw or heard anything, etc.
In our environment, any logging that netapp can provide is probably useful to us in some way or another. For CIFS, the timestamp, loginid, and hostname or IP address of the login would be invaluable.
Steve Losen scl@virginia.edu phone: 804-924-0640
University of Virginia ITC Unix Support